
Detections in Devo SOAR

About detections

Detection is the process of analyzing the complete security ecosystem to identify any malicious activity. If a threat is identified, mitigating measures must be taken to effectively neutralize it before it can exploit any existing vulnerabilities.

To guard your environment against malicious activities, Devo SOAR provides use cases to detect attacker techniques. A use case is a package that contains a playbook and the associated resources that the playbook requires to work. The use cases are organized according to the MITRE ATT&CK framework, which Devo SOAR uses to manage detection coverage and risk. MITRE is an organization that maintains a catalog of techniques that attackers use to breach security.

You can deploy available use cases by importing them and then setting up the playbook that is created to work in your environment. To view and manage detections and use cases, click Use Cases on the navigation pane on the left, and then Detection Coverage at the top.


Exploring the Detection Coverage

Top charts: summary

The panels at the top provide a summary view of the following information:

  • Devo SOAR Technique Coverage: Number of techniques for which Devo SOAR has at least one use case relative to the total number of available techniques.

  • Techniques Defended: Number of techniques for which your organization already has use cases relative to the total number of available techniques.

  • Use Cases Configured: Number of use cases that your organization has configured relative to the total number of use cases that Devo SOAR offers. This number is typically higher than the number of techniques defended because a technique can have multiple use cases.

  • MITRE Detections Configured: Number of MITRE use cases that your organization has configured relative to the total number of use cases that Devo SOAR offers. This number is typically higher than the number of techniques defended because a technique can have multiple use cases.


Main body: details

The main body of the page below the summary area contains a table of coverage or use cases. MITRE Coverage is the default view. To change to a different view, select one of the following options from the drop-down list at the top right of the main body.

  • MITRE Coverage (default): Displays the MITRE matrix containing the detections that are categorized inside the MITRE framework. The matrix is organized by tactics (columns) and techniques (cells), and the cells are color coded based on the availability of detections inside a technique (a legend is included above the matrix):

    • Available (light green): There are use cases available in this technique for import.

    • Imported (dark green): There is at least one use case in this technique already imported, but there may be others still available for import.

    • Unavailable (white): Devo SOAR doesn’t yet have a use case for this technique. To request it, contact support.

    Clicking a cell will open the details of the technique, as well as the related detections for you to check their details or import their use cases (see section below).

  • All Detections: Lists all detections, including those that are not categorized inside the MITRE framework. Clicking a row will open the details of the detection, as well as the related use case for you to check its details or import it (see section below).

  • All Use Cases: Lists all use cases that are available, including MITRE-related ones and those that your organization has imported. Clicking a row will open the details of the use case, as well as the option to import it (see section below).

In any of the three views you can use the available search and filters. Enter a search string or select options from the different filter drop-downs, and the matching items will be displayed. There are some considerations when using filters:

  • Selecting several options in the same filter will combine them using an OR basis, returning items that match any of the options (match one OR the other). For example, using Available and Imported (Status) will return all items that are either Available or Imported.

  • Using several filters will combine them using an AND basis, returning only those items that match every selected filter (match one AND the other). For example, using Available (Status) and Windows Logs (Source) will return only those items that use Windows Logs and are Available.

  • You can configure a predefined filter containing Sources to later apply it and save time. Simply click on Configure at the top right, select the desired sources, and click Save. To apply it, click Apply My Filters on the filters section.
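As an added illustration (not Devo SOAR code) of how the summary counters, the matrix cell colours and the filter rules described above relate to each other, here is a small Python model over a constructed catalog; the technique ids, use case names and log sources are placeholders.

```python
from dataclasses import dataclass

# Constructed sample catalog (not Devo's): one entry per use case, mapped to a
# hypothetical technique id. "imported" marks what this organization configured.
@dataclass(frozen=True)
class UseCase:
    name: str
    technique: str   # placeholder technique id, not a real ATT&CK id
    source: str      # log source the playbook consumes
    imported: bool

ALL_TECHNIQUES = {"TX001", "TX002", "TX003", "TX004"}  # constructed matrix scope

CATALOG = [
    UseCase("Suspicious logon burst", "TX001", "Windows Logs", True),
    UseCase("Logon from new country", "TX001", "VPN Logs", False),
    UseCase("Mass file rename", "TX002", "Windows Logs", False),
    UseCase("DNS tunnelling volume", "TX003", "DNS Logs", True),
]

def status_of(u):
    """Status shown in the UI: Imported once configured, otherwise Available."""
    return "Imported" if u.imported else "Available"

def summary(catalog, all_techniques):
    """Top-chart counters as (numerator, denominator) pairs."""
    covered = {u.technique for u in catalog}                 # any use case exists
    defended = {u.technique for u in catalog if u.imported}  # at least one imported
    return {
        "technique_coverage": (len(covered), len(all_techniques)),
        "techniques_defended": (len(defended), len(all_techniques)),
        "use_cases_configured": (sum(u.imported for u in catalog), len(catalog)),
    }

def cell_status(catalog, technique):
    """Matrix cell colour: Imported beats Available; no use case means Unavailable."""
    cases = [u for u in catalog if u.technique == technique]
    if not cases:
        return "Unavailable"
    return "Imported" if any(u.imported for u in cases) else "Available"

def apply_filters(catalog, **filters):
    """Options inside one filter are ORed, separate filters are ANDed.
    Example: status={"Available", "Imported"}, source={"Windows Logs"}."""
    def field(u, name):
        return status_of(u) if name == "status" else getattr(u, name)
    return [u for u in catalog
            if all(field(u, n) in opts for n, opts in filters.items() if opts)]
```

Note that Techniques Defended counts techniques, while Use Cases Configured counts use cases, which is why the latter can be higher when one technique has several imported use cases.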

Updating the coverage

Click the refresh icon next to the main body’s title after making any changes to view the updated results. A success message appears once the update check completes.

Import Use Cases

Accessing the import menu

  • From MITRE Coverage: click the desired cell to open a side panel that shows details about the technique and the available use cases, along with suggested situations where the use case can be helpful. To import a use case, click Import.

  • From All Detections: click the desired detection to open a side panel that shows its details. Click on the Use Case tab to see the related use case and then click on the use case tile to open another side panel with the details of the use case. To import the use case, click Import at the top of the newly opened panel.

  • From All Use Cases: click the desired use case to open a side panel that shows its details. Click Import at the top of the panel.

Resolving conflicts and finishing import

The list of dependencies and conflicts for the use case is presented, along with options to resolve conflicts and rename items. You can select all items to apply the same conflict resolution to all of them, or decide individually by clicking each item to show the available options.

On the next screen you see a summary where you can check the content of the use case and its dependencies (with the conflict-solving options selected) and click Finish Import if you’re satisfied with the outcome. For more information, see Export and Import Playbooks.

Schedule as stream

Once you successfully complete the import, you will receive a confirmation message informing you that the use case needs to be scheduled as a stream to run automatically. The message offers a direct option to do this, but you can also postpone it. For more information, see Activate Playbooks using Streams.

Updating, editing, and publishing use case

When the import is complete, the status is updated to Imported. The use case is then available on the Playbooks page, where you can open and edit the playbook as you would any other playbook that you created or that has been shared with you.

Additionally, a Usage Summary tab is added to the use case details, and the import button is substituted with the following buttons:

  • Update: imports the use case again to fetch any changes that might have been applied.

  • Edit: opens the edit menu, where you can change its content and details.

  • Publish Update: makes this use case public so that other users can use it.

For more information, see Share Use Cases with others.
